honeyweb-core 2.0.0 → 2.0.3

package/ai/gemini.js

@@ -1,43 +1,93 @@
 // honeyweb-core/ai/gemini.js
-// Google Gemini API client (extracted from main index.js)
+// Google Gemini API client
 
 const { GoogleGenerativeAI } = require('@google/generative-ai');
 
+// Retry config
+const MAX_RETRIES = 3;
+const INITIAL_BACKOFF_MS = 2000;
+
 class GeminiClient {
     constructor(config) {
-        this.enabled = config.enabled && config.apiKey;
-        this.timeout = config.timeout || 10000;
+        this.enabled = config.enabled && !!config.apiKey;
+        this.timeout = config.timeout || 50000;
+        this.modelName = config.model || 'gemini-3-flash-preview';
 
         if (this.enabled) {
             this.genAI = new GoogleGenerativeAI(config.apiKey);
-            this.model = this.genAI.getGenerativeModel({ model: config.model || 'gemini-2.0-flash-exp' });
+            this.model = this.genAI.getGenerativeModel({ model: this.modelName });
+            console.log(`[Gemini] Initialized with model: ${this.modelName}`);
         }
     }
 
     /**
-     * Generate AI analysis
+     * Sleep helper
+     */
+    _sleep(ms) {
+        return new Promise(resolve => setTimeout(resolve, ms));
+    }
+
+    /**
+     * Check if an error is retryable
+     */
+    _isRetryable(err) {
+        const msg = err.message || '';
+        return msg.includes('503')
+            || msg.includes('429')
+            || msg.includes('500')
+            || msg.includes('Service Unavailable')
+            || msg.includes('overloaded')
+            || msg.includes('high demand')
+            || msg.includes('RESOURCE_EXHAUSTED')
+            || msg.includes('Quota exceeded');
+    }
+
+    /**
+     * Generate AI analysis with retry logic
      * @param {string} prompt - Analysis prompt
-     * @returns {Promise<string>} - AI response
+     * @returns {Promise<string|null>} - AI response or null on failure
      */
     async analyze(prompt) {
         if (!this.enabled) {
             return null;
         }
 
-        try {
-            const result = await Promise.race([
-                this.model.generateContent(prompt),
-                new Promise((_, reject) =>
-                    setTimeout(() => reject(new Error('AI request timeout')), this.timeout)
-                )
-            ]);
-
-            const response = await result.response;
-            return response.text();
-        } catch (err) {
-            console.error('[Gemini] AI analysis failed:', err.message);
-            return null;
+        let lastError = null;
+
+        for (let attempt = 0; attempt < MAX_RETRIES; attempt++) {
+            try {
+                const result = await Promise.race([
+                    this.model.generateContent(prompt),
+                    new Promise((_, reject) =>
+                        setTimeout(() => reject(new Error('AI request timeout')), this.timeout)
+                    )
+                ]);
+
+                const response = await result.response;
+                const text = response.text();
+
+                if (text) {
+                    return text;
+                }
+
+                console.warn('[Gemini] Empty response from AI, retrying...');
+                lastError = new Error('Empty AI response');
+            } catch (err) {
+                lastError = err;
+
+                if (this._isRetryable(err) && attempt < MAX_RETRIES - 1) {
+                    const backoff = INITIAL_BACKOFF_MS * Math.pow(2, attempt);
+                    console.warn(`[Gemini] Retryable error (attempt ${attempt + 1}/${MAX_RETRIES}): ${err.message}. Retrying in ${backoff}ms...`);
+                    await this._sleep(backoff);
+                    continue;
+                }
+
+                break;
+            }
         }
+
+        console.error(`[Gemini] AI analysis failed after ${MAX_RETRIES} attempts:`, lastError?.message);
+        return null;
     }
 
     /**

package/ai/prompt-templates.js

@@ -1,61 +1,41 @@
 // honeyweb-core/ai/prompt-templates.js
 // AI prompt templates for threat analysis
 
-/**
- * Generate threat analysis prompt
- * @param {Object} data - Threat data
- * @returns {string} - Formatted prompt
- */
 function generateThreatAnalysisPrompt(data) {
-    const { ip, path, threats, userAgent, referer, method, timestamp } = data;
+    const { ip, path, threats, userAgent, method, timestamp } = data;
 
-    return `You are a cybersecurity analyst. Analyze this suspicious web request and provide a concise threat assessment.
+    return `Cybersecurity analyst for HoneyWeb honeypot. Analyze this attack. Plain text only, no markdown or asterisks. Use UPPERCASE headers.
 
-**Request Details:**
-- IP Address: ${ip}
-- Path: ${path}
-- Method: ${method}
-- User-Agent: ${userAgent || 'Not provided'}
-- Referer: ${referer || 'Not provided'}
-- Timestamp: ${new Date(timestamp).toISOString()}
+REQUEST: ${method} ${path} from ${ip}
+User-Agent: ${userAgent || 'N/A'}
+Time: ${new Date(timestamp).toISOString()}
+Threats: ${threats.join('; ')}
 
-**Detected Threats:**
-${threats.map(t => `- ${t}`).join('\n')}
+Respond with:
+CLASSIFICATION: Attack type and technique.
+RISK: Severity (CRITICAL/HIGH/MEDIUM/LOW), impact if successful.
+PROFILE: Skill level, likely tool, automated or manual.
+ACTIONS: Immediate and long-term defenses.
 
-**Analysis Required:**
-1. What type of attack is this likely to be?
-2. What is the attacker's probable intent?
-3. What vulnerabilities are they trying to exploit?
-4. Recommended defensive actions?
-
-Provide a brief, actionable report (3-4 sentences).`;
+Keep to 4-6 sentences total.`;
 }
 
-/**
- * Generate trap trigger analysis prompt
- * @param {Object} data - Trap trigger data
- * @returns {string} - Formatted prompt
- */
 function generateTrapAnalysisPrompt(data) {
     const { ip, path, userAgent, timestamp } = data;
 
-    return `A honeypot trap was triggered. Analyze this bot behavior:
-
-**Bot Details:**
-- IP Address: ${ip}
-- Trap Path: ${path}
-- User-Agent: ${userAgent || 'Not provided'}
-- Timestamp: ${new Date(timestamp).toISOString()}
+    return `Cybersecurity analyst for HoneyWeb honeypot. A hidden trap link (invisible to humans) was accessed. Plain text only, no markdown or asterisks. Use UPPERCASE headers.
 
-**Context:**
-The bot accessed an invisible honeypot link that legitimate users cannot see. This indicates automated crawling behavior.
+TRAP HIT: ${path} from ${ip}
+User-Agent: ${userAgent || 'N/A'}
+Time: ${new Date(timestamp).toISOString()}
 
-**Analysis Required:**
-1. What type of bot is this (scraper, vulnerability scanner, etc.)?
-2. What is the bot's likely purpose?
-3. Is this a sophisticated or basic bot?
+Respond with:
+BOT TYPE: What kind of bot and why.
+SOPHISTICATION: BASIC/INTERMEDIATE/ADVANCED with reason.
+THREAT: Severity (CRITICAL/HIGH/MEDIUM/LOW), malicious or benign.
+ACTIONS: Recommended next steps.
 
-Provide a brief assessment (2-3 sentences).`;
+Keep to 3-5 sentences total.`;
 }
 
 module.exports = {

package/config/defaults.js

@@ -6,8 +6,8 @@ module.exports = {
     ai: {
         enabled: true,
         apiKey: process.env.HONEYWEB_API_KEY || '',
-        model: 'gemini-2.0-flash-exp',
-        timeout: 10000
+        model: 'gemini-3-flash-preview',
+        timeout: 30000
     },
 
     // Detection Configuration
@@ -18,14 +18,14 @@ module.exports = {
             xss: true
         },
         behavioral: {
-            enabled: false, // Phase 2 feature
+            enabled: true, // Phase 2 feature - ENABLED
             suspicionThreshold: 50,
             trackTiming: true,
             trackNavigation: true
         },
         whitelist: {
-            enabled: false, // Phase 2 feature
-            verifyDNS: true,
+            enabled: true, // Phase 2 feature - ENABLED
+            verifyDNS: true, // DNS verification ENABLED
             cacheTTL: 86400000, // 24 hours
             bots: ['Googlebot', 'Bingbot', 'Slackbot', 'facebookexternalhit']
         }
@@ -45,7 +45,7 @@ module.exports = {
         path: './blocked-ips.json',
         async: true,
         cache: true,
-        banDuration: 86400000, // 24 hours
+        banDuration: 300000, // 24 hours
         autoCleanup: true
     },
 

package/config/index.js

@@ -58,6 +58,9 @@ function loadConfig(userConfig = {}) {
     if (process.env.HONEYWEB_API_KEY) {
         config.ai.apiKey = process.env.HONEYWEB_API_KEY;
     }
+    if (process.env.HONEYWEB_AI_MODEL) {
+        config.ai.model = process.env.HONEYWEB_AI_MODEL;
+    }
     if (process.env.HONEYWEB_DASHBOARD_SECRET) {
         config.dashboard.secret = process.env.HONEYWEB_DASHBOARD_SECRET;
     }

package/index.js

@@ -4,6 +4,7 @@
 
 const { loadConfig } = require('./config');
 const { createStorage } = require('./storage');
+const BotTracker = require('./storage/bot-tracker');
 const DetectionEngine = require('./detection');
 const AIAnalyzer = require('./ai');
 const Logger = require('./utils/logger');
@@ -23,11 +24,12 @@ function honeyWeb(userConfig = {}) {
     const logger = new Logger(config.logging);
     const events = new HoneyWebEvents();
     const storage = createStorage(config.storage);
+    const botTracker = new BotTracker(); // Track legitimate bot visits
     const detector = new DetectionEngine(config);
     const aiAnalyzer = new AIAnalyzer(config.ai);
 
     // 3. Create middleware
-    const middleware = createMiddleware(config, storage, detector, aiAnalyzer, logger, events);
+    const middleware = createMiddleware(config, storage, botTracker, detector, aiAnalyzer, logger, events);
 
     // 4. Attach event emitter and utilities to middleware function
     middleware.on = events.on.bind(events);
@@ -35,6 +37,7 @@ function honeyWeb(userConfig = {}) {
     middleware.off = events.off.bind(events);
     middleware.events = events;
     middleware.storage = storage;
+    middleware.botTracker = botTracker;
     middleware.detector = detector;
     middleware.logger = logger;
     middleware.config = config;

package/middleware/dashboard.js

@@ -1,169 +1,291 @@
 // honeyweb-core/middleware/dashboard.js
-// Dashboard middleware (extracted from main index.js)
-
-/**
- * Create dashboard middleware
- * @param {Object} config - Configuration
- * @param {Object} storage - Storage instance
- * @param {Object} detector - Detection engine
- * @returns {Function} - Middleware function
- */
-function createDashboard(config, storage, detector) {
+// Dashboard middleware with cookie-based auth (no credentials in URL)
+
+const crypto = require('crypto');
+
+function createDashboard(config, storage, botTracker, detector, events) {
     const dashboardPath = config.dashboard.path;
     const dashboardSecret = config.dashboard.secret;
+    const sessionToken = crypto.createHash('sha256').update(dashboardSecret + ':honeyweb-session').digest('hex');
+
+    const aiReports = [];
+    const MAX_AI_REPORTS = 20;
+
+    if (events && events.on) {
+        events.on('ai:analysis', ({ ip, report, timestamp }) => {
+            aiReports.unshift({ ip, report, timestamp });
+            if (aiReports.length > MAX_AI_REPORTS) aiReports.pop();
+        });
+    }
+
+    function isAuthenticated(req) {
+        const cookieHeader = req.headers.cookie || '';
+        const match = cookieHeader.match(/honeyweb_session=([^;]+)/);
+        return match && match[1] === sessionToken;
+    }
+
+    function renderLoginPage(res, error) {
+        const errorHtml = error
+            ? `<div class="error-msg">${error}</div>`
+            : '';
+        res.send(`<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>HoneyWeb &mdash; Dashboard Login</title>
+    <style>
+        *,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+        body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;background:#0f1923;color:#c9d1d9;display:flex;justify-content:center;align-items:center;min-height:100vh}
+        .card{background:#161b22;border:1px solid #21262d;border-radius:12px;padding:44px 36px;width:380px;text-align:center}
+        .card h1{font-size:1.5em;color:#e6edf3;margin-bottom:4px}
+        .card .sub{color:#8b949e;font-size:0.85em;margin-bottom:28px}
+        .error-msg{background:rgba(248,81,73,0.1);border:1px solid #f85149;color:#f85149;border-radius:6px;padding:10px 14px;margin-bottom:18px;font-size:0.88em}
+        input[type="password"]{width:100%;padding:12px 14px;background:#0d1117;border:1px solid #30363d;border-radius:6px;color:#e6edf3;font-size:0.95em;transition:border-color .2s}
+        input[type="password"]:focus{outline:none;border-color:#58a6ff;box-shadow:0 0 0 3px rgba(88,166,255,0.15)}
+        input[type="password"]::placeholder{color:#484f58}
+        button{width:100%;padding:13px;background:#238636;color:#fff;border:none;border-radius:6px;font-size:1em;font-weight:600;cursor:pointer;margin-top:14px;transition:background .2s}
+        button:hover{background:#2ea043}
+        .footer-note{margin-top:20px;font-size:0.72em;color:#484f58}
+    </style>
+</head>
+<body>
+    <div class="card">
+        <h1>HoneyWeb Dashboard</h1>
+        <p class="sub">Enter the dashboard secret to continue</p>
+        ${errorHtml}
+        <form method="POST" action="${dashboardPath}">
+            <input type="password" name="secret" placeholder="Dashboard secret" autofocus required>
+            <button type="submit">Authenticate</button>
+        </form>
+        <p class="footer-note">Session expires after 1 hour</p>
+    </div>
+</body>
+</html>`);
+    }
 
     return async function dashboard(req, res, next) {
-        // Only handle dashboard path
-        if (req.path !== dashboardPath) {
-            return next();
+        if (req.path !== dashboardPath) return next();
+
+        // POST login
+        if (req.method === 'POST') {
+            const submitted = req.body && req.body.secret;
+            if (submitted === dashboardSecret) {
+                res.setHeader('Set-Cookie', `honeyweb_session=${sessionToken}; HttpOnly; Path=${dashboardPath}; SameSite=Strict; Max-Age=3600`);
+                return res.redirect(303, dashboardPath);
+            }
+            return renderLoginPage(res, 'Invalid secret. Try again.');
         }
 
-        // Check authentication
-        const key = req.query.key;
-        if (key !== dashboardSecret) {
-            return res.status(401).send('<h1>401 Unauthorized</h1><p>Invalid dashboard key.</p>');
+        // Legacy ?key= support (redirect to clean URL)
+        if (req.query.key) {
+            if (req.query.key === dashboardSecret) {
+                res.setHeader('Set-Cookie', `honeyweb_session=${sessionToken}; HttpOnly; Path=${dashboardPath}; SameSite=Strict; Max-Age=3600`);
+                return res.redirect(303, dashboardPath);
+            }
+            return res.status(401).send('<h1>401 Unauthorized</h1>');
         }
 
+        if (!isAuthenticated(req)) return renderLoginPage(res);
+
         try {
-            // Get banned IPs
             const bannedIPs = await storage.getAll();
             const stats = await storage.getStats();
             const detectionStats = detector.getStats();
+            const botVisits = botTracker.getAllVisits();
+            const botStats = botTracker.getStats();
 
-            // Generate HTML dashboard
-            const html = `
-<!DOCTYPE html>
-<html>
+            const html = `<!DOCTYPE html>
+<html lang="en">
 <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>HoneyWeb Status Dashboard</title>
+    <meta http-equiv="refresh" content="10">
     <style>
-        body {
-            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
-            max-width: 1200px;
-            margin: 40px auto;
-            padding: 20px;
-            background: #f5f5f5;
-        }
-        h1 {
-            color: #333;
-            border-bottom: 3px solid #ff6b6b;
-            padding-bottom: 10px;
-        }
-        .stats {
-            display: grid;
-            grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
-            gap: 20px;
-            margin: 20px 0;
-        }
-        .stat-card {
-            background: white;
-            padding: 20px;
-            border-radius: 8px;
-            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
-        }
-        .stat-card h3 {
-            margin: 0 0 10px 0;
-            color: #666;
-            font-size: 14px;
-            text-transform: uppercase;
-        }
-        .stat-card .value {
-            font-size: 32px;
-            font-weight: bold;
-            color: #ff6b6b;
-        }
-        table {
-            width: 100%;
-            background: white;
-            border-collapse: collapse;
-            border-radius: 8px;
-            overflow: hidden;
-            box-shadow: 0 2px 4px rgba(0,0,0,0.1);
-        }
-        th {
-            background: #ff6b6b;
-            color: white;
-            padding: 12px;
-            text-align: left;
-        }
-        td {
-            padding: 12px;
-            border-bottom: 1px solid #eee;
-        }
-        tr:hover {
-            background: #f9f9f9;
-        }
-        .timestamp {
-            color: #666;
-            font-size: 12px;
-        }
-        .reason {
-            color: #ff6b6b;
-            font-weight: 500;
-        }
+        *,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+        body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-serif;background:#0f1923;color:#c9d1d9;min-height:100vh}
+        a{color:#58a6ff;text-decoration:none}
+        code{font-family:'Cascadia Code','Fira Code',Consolas,monospace;background:#0d1117;padding:2px 6px;border-radius:4px;font-size:0.88em;color:#e6edf3}
+        pre{font-family:'Cascadia Code','Fira Code',Consolas,monospace}
+
+        /* Layout */
+        .wrap{max-width:1100px;margin:0 auto;padding:32px 24px 48px}
+        .top-bar{display:flex;align-items:center;justify-content:space-between;margin-bottom:32px;flex-wrap:wrap;gap:12px}
+        .top-bar h1{font-size:1.6em;color:#e6edf3}
+        .top-bar h1 span{color:#58a6ff}
+        .top-bar .meta{color:#484f58;font-size:0.78em}
+
+        /* Stat cards */
+        .stats{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:16px;margin-bottom:36px}
+        .stat{background:#161b22;border:1px solid #21262d;border-radius:8px;padding:20px}
+        .stat .label{font-size:0.75em;text-transform:uppercase;letter-spacing:.5px;color:#8b949e;margin-bottom:8px;font-weight:600}
+        .stat .val{font-size:1.8em;font-weight:700;color:#f85149}
+        .stat .val.green{color:#238636}
+        .stat .val.blue{color:#58a6ff}
+
+        /* Section headers */
+        .section-hdr{font-size:1.15em;color:#e6edf3;margin:32px 0 16px;padding-bottom:8px;border-bottom:1px solid #21262d;display:flex;align-items:center;gap:10px}
+
+        /* Card generic */
+        .card{background:#161b22;border:1px solid #21262d;border-radius:8px;padding:20px 24px;margin-bottom:14px}
+
+        /* Bot cards */
+        .bot-hdr{display:flex;align-items:center;gap:10px;flex-wrap:wrap;margin-bottom:8px}
+        .bot-hdr h3{color:#e6edf3;font-size:1em;margin:0}
+        .badge{padding:3px 8px;border-radius:12px;font-size:0.7em;font-weight:700;text-transform:uppercase;letter-spacing:.3px}
+        .badge-green{background:rgba(35,134,54,0.15);color:#3fb950}
+        .badge-orange{background:rgba(210,153,34,0.15);color:#d29922}
+        .bot-meta{color:#8b949e;font-size:0.82em;margin-bottom:10px}
+        .visit-row{padding:10px 14px;border-left:3px solid #238636;background:#0d1117;border-radius:0 6px 6px 0;margin:8px 0;font-size:0.88em}
+        .visit-row .path{color:#e6edf3;font-weight:600;font-family:'Cascadia Code','Fira Code',Consolas,monospace}
+        .visit-row .vmeta{color:#484f58;font-size:0.8em;margin-top:4px}
+        details summary{cursor:pointer;color:#58a6ff;font-size:0.88em;margin-top:4px}
+        details summary:hover{text-decoration:underline}
+
+        /* AI reports */
+        .ai-card{background:#161b22;border:1px solid #21262d;border-radius:8px;padding:20px 24px;margin-bottom:14px}
+        .ai-header{display:flex;justify-content:space-between;align-items:center;margin-bottom:12px;flex-wrap:wrap;gap:8px}
+        .ai-header .ip-tag{background:rgba(248,81,73,0.1);color:#f85149;padding:4px 10px;border-radius:12px;font-size:0.78em;font-weight:600}
+        .ai-header .ts{color:#484f58;font-size:0.78em}
+        .ai-body{background:#0d1117;border:1px solid #21262d;border-radius:6px;padding:16px;white-space:pre-wrap;word-wrap:break-word;font-size:0.85em;line-height:1.6;color:#c9d1d9}
+
+        /* Banned table */
+        .ban-table{width:100%;border-collapse:collapse;background:#161b22;border:1px solid #21262d;border-radius:8px;overflow:hidden}
+        .ban-table th{background:#1a2332;color:#8b949e;font-size:0.75em;text-transform:uppercase;letter-spacing:.5px;font-weight:600;padding:12px 16px;text-align:left;border-bottom:1px solid #21262d}
+        .ban-table td{padding:12px 16px;border-bottom:1px solid #21262d;font-size:0.9em}
+        .ban-table tr:last-child td{border-bottom:none}
+        .ban-table tr:hover td{background:#1a2332}
+        .ban-table .reason{color:#f85149;font-weight:500}
+        .ban-table .ts{color:#484f58;font-size:0.8em}
+
+        /* Empty states */
+        .empty{text-align:center;padding:36px;color:#484f58;background:#161b22;border:1px solid #21262d;border-radius:8px}
+        .empty p:first-child{font-size:0.95em;color:#8b949e}
+        .empty p.hint{font-size:0.78em;margin-top:8px}
+
+        /* Footer */
+        .dash-footer{text-align:center;color:#484f58;font-size:0.75em;margin-top:40px;padding-top:16px;border-top:1px solid #21262d}
+
+        /* Logout */
+        .logout-btn{background:none;border:1px solid #30363d;color:#8b949e;padding:6px 14px;border-radius:6px;font-size:0.8em;cursor:pointer;transition:all .2s}
+        .logout-btn:hover{border-color:#f85149;color:#f85149}
     </style>
 </head>
 <body>
-    <h1>🍯 HoneyWeb Status Dashboard</h1>
+<div class="wrap">
 
+    <div class="top-bar">
+        <h1><span>HoneyWeb</span> Dashboard</h1>
+        <div style="display:flex;align-items:center;gap:16px;">
+            <span class="meta">Auto-refresh every 10s</span>
+            <form method="POST" action="${dashboardPath}" style="margin:0">
+                <input type="hidden" name="secret" value="">
+                <button type="button" class="logout-btn" onclick="document.cookie='honeyweb_session=;Path=${dashboardPath};Max-Age=0';location.reload()">Logout</button>
+            </form>
+        </div>
+    </div>
+
+    <!-- Stats -->
     <div class="stats">
-        <div class="stat-card">
-            <h3>Total Banned IPs</h3>
-            <div class="value">${stats.total}</div>
+        <div class="stat">
+            <div class="label">Banned IPs (Total)</div>
+            <div class="val">${stats.total}</div>
         </div>
-        <div class="stat-card">
-            <h3>Active Bans</h3>
-            <div class="value">${stats.active}</div>
+        <div class="stat">
+            <div class="label">Active Bans</div>
+            <div class="val">${stats.active}</div>
         </div>
-        <div class="stat-card">
-            <h3>Expired Bans</h3>
-            <div class="value">${stats.expired}</div>
+        <div class="stat">
+            <div class="label">Legitimate Bots</div>
+            <div class="val green">${botStats.totalBots}</div>
         </div>
-        ${detectionStats.rateLimiter ? `
-        <div class="stat-card">
-            <h3>Tracked IPs</h3>
-            <div class="value">${detectionStats.rateLimiter.trackedIPs}</div>
+        <div class="stat">
+            <div class="label">Bot Visits</div>
+            <div class="val green">${botStats.totalVisits}</div>
         </div>
-        ` : ''}
+        ${detectionStats.rateLimiter ? `
+        <div class="stat">
+            <div class="label">Tracked IPs</div>
+            <div class="val blue">${detectionStats.rateLimiter.trackedIPs}</div>
+        </div>` : ''}
     </div>
 
-    <h2>Banned IP Addresses</h2>
-    ${bannedIPs.length === 0 ? '<p>No banned IPs yet.</p>' : `
-    <table>
+    <!-- Legitimate Bots -->
+    <div class="section-hdr">Legitimate Bot Activity</div>
+    ${Object.keys(botVisits).length === 0 ? `
+        <div class="empty">
+            <p>No legitimate bots detected yet.</p>
+            <p class="hint">Googlebot, Bingbot, and other search engines will appear here when they visit your site.</p>
+        </div>
+    ` : Object.entries(botVisits).map(([botName, visits]) => `
+        <div class="card">
+            <div class="bot-hdr">
+                <h3>${botName}</h3>
+                <span class="badge badge-green">${visits.filter(v => v.verified).length} verified</span>
+                ${visits.filter(v => !v.verified).length > 0 ? `<span class="badge badge-orange">${visits.filter(v => !v.verified).length} unverified</span>` : ''}
+            </div>
+            <div class="bot-meta">Total visits: ${visits.length} &middot; Most recent: ${new Date(visits[0].timestamp).toLocaleString()}</div>
+            <details>
+                <summary>View recent visits (last ${Math.min(visits.length, 10)})</summary>
+                ${visits.slice(0, 10).map(visit => `
+                    <div class="visit-row">
+                        <div class="path">${visit.path}</div>
+                        <div class="vmeta">IP: <code>${visit.ip}</code> &middot; ${visit.verified ? 'DNS Verified' : 'Unverified'} &middot; ${new Date(visit.timestamp).toLocaleString()}</div>
+                    </div>
+                `).join('')}
+            </details>
+        </div>
+    `).join('')}
+
+    <!-- AI Analysis -->
+    <div class="section-hdr">AI Threat Analysis</div>
+    ${aiReports.length === 0 ? `
+        <div class="empty">
+            <p>No AI analysis reports yet.</p>
+            <p class="hint">Reports will appear here when threats or traps are detected and analyzed by Gemini.</p>
+        </div>
+    ` : aiReports.slice(0, 10).map(r => `
+        <div class="ai-card">
+            <div class="ai-header">
+                <span class="ip-tag">IP: ${r.ip}</span>
+                <span class="ts">${new Date(r.timestamp).toLocaleString()}</span>
+            </div>
+            <div class="ai-body">${r.report}</div>
+        </div>
+    `).join('')}
+
+    <!-- Banned IPs -->
+    <div class="section-hdr">Banned IP Addresses</div>
+    ${bannedIPs.length === 0 ? `
+        <div class="empty"><p>No banned IPs yet.</p></div>
+    ` : `
+    <table class="ban-table">
         <thead>
             <tr>
                 <th>IP Address</th>
                 <th>Reason</th>
                 <th>Banned At</th>
-                <th>Expires At</th>
+                <th>Expires</th>
             </tr>
         </thead>
         <tbody>
             ${bannedIPs.map(entry => {
                 const ip = typeof entry === 'string' ? entry : entry.ip;
                 const reason = typeof entry === 'string' ? 'Suspicious activity' : entry.reason;
-                const timestamp = typeof entry === 'string' ? 'N/A' : new Date(entry.timestamp).toLocaleString();
+                const ts = typeof entry === 'string' ? 'N/A' : new Date(entry.timestamp).toLocaleString();
                 const expiry = typeof entry === 'string' ? 'Never' : new Date(entry.expiry).toLocaleString();
-
-                return `
-                <tr>
-                    <td><code>${ip}</code></td>
-                    <td class="reason">${reason}</td>
-                    <td class="timestamp">${timestamp}</td>
-                    <td class="timestamp">${expiry}</td>
-                </tr>
-                `;
+                return `<tr><td><code>${ip}</code></td><td class="reason">${reason}</td><td class="ts">${ts}</td><td class="ts">${expiry}</td></tr>`;
             }).join('')}
         </tbody>
     </table>
     `}
 
-    <p style="margin-top: 40px; color: #666; text-align: center;">
-        HoneyWeb v1.0.2 | Refresh page to update data
-    </p>
+    <div class="dash-footer">HoneyWeb v2.0.1 &middot; Refresh page to update data</div>
+
+</div>
 </body>
-</html>
-            `;
+</html>`;
 
             res.send(html);
         } catch (err) {

package/middleware/index.js

@@ -10,19 +10,21 @@ const createDashboard = require('./dashboard');
  * Create HoneyWeb middleware stack
  * @param {Object} config - Configuration
  * @param {Object} storage - Storage instance
+ * @param {Object} botTracker - Bot tracker instance
  * @param {Object} detector - Detection engine
  * @param {Object} aiAnalyzer - AI analyzer
  * @param {Object} logger - Logger instance
  * @param {Object} events - Event emitter
  * @returns {Function} - Express middleware function
  */
-function createMiddleware(config, storage, detector, aiAnalyzer, logger, events) {
+function createMiddleware(config, storage, botTracker, detector, aiAnalyzer, logger, events) {
     // Create individual middleware components
     const blocklistChecker = createBlocklistChecker(storage, logger, events);
-    const requestAnalyzer = createRequestAnalyzer(config, storage, detector, aiAnalyzer, logger, events);
+    const requestAnalyzer = createRequestAnalyzer(config, storage, botTracker, detector, aiAnalyzer, logger, events);
     const trapInjector = createTrapInjector(config);
+    const trapPaths = config.traps.paths;
     const dashboard = config.dashboard.enabled
-        ? createDashboard(config, storage, detector)
+        ? createDashboard(config, storage, botTracker, detector, events)
         : null;
 
     // Return combined middleware function
@@ -33,7 +35,20 @@ function createMiddleware(config, storage, detector, aiAnalyzer, logger, events)
                 return dashboard(req, res, next);
             }
 
-            // 2. Check blocklist
+            // 2. If this is a trap path, ALWAYS run the analyzer first
+            //    so trap triggers are logged + AI-analyzed even for banned IPs
+            if (trapPaths.includes(req.path)) {
+                await new Promise((resolve, reject) => {
+                    requestAnalyzer(req, res, (err) => {
+                        if (err) reject(err);
+                        else resolve();
+                    });
+                });
+                // Analyzer already sent 403 for traps
+                if (res.headersSent) return;
+            }
+
+            // 3. Check blocklist (non-trap requests)
             await new Promise((resolve, reject) => {
                 blocklistChecker(req, res, (err) => {
                     if (err) reject(err);
@@ -46,7 +61,7 @@ function createMiddleware(config, storage, detector, aiAnalyzer, logger, events)
                 return;
             }
 
-            // 3. Analyze request (traps + threats)
+            // 4. Analyze request (patterns, rate limiting, behavioral)
             await new Promise((resolve, reject) => {
                 requestAnalyzer(req, res, (err) => {
                     if (err) reject(err);
@@ -59,7 +74,7 @@ function createMiddleware(config, storage, detector, aiAnalyzer, logger, events)
                 return;
             }
 
-            // 4. Inject traps into HTML responses
+            // 5. Inject traps into HTML responses
             trapInjector(req, res, next);
 
         } catch (err) {

package/middleware/request-analyzer.js

@@ -5,19 +5,44 @@
  * Create request analyzer middleware
  * @param {Object} config - Configuration
  * @param {Object} storage - Storage instance
+ * @param {Object} botTracker - Bot tracker instance
  * @param {Object} detector - Detection engine
  * @param {Object} aiAnalyzer - AI analyzer
  * @param {Object} logger - Logger instance
  * @param {Object} events - Event emitter
  * @returns {Function} - Middleware function
  */
-function createRequestAnalyzer(config, storage, detector, aiAnalyzer, logger, events) {
+function createRequestAnalyzer(config, storage, botTracker, detector, aiAnalyzer, logger, events) {
     const trapPaths = config.traps.paths;
 
     return async function analyzeRequest(req, res, next) {
         const clientIP = req.ip || req.connection.remoteAddress;
 
-        // 1. CHECK IF TRAP ACCESSED
+        // 1. THREAT DETECTION (whitelist check happens FIRST to protect legit bots)
+        const analysis = await detector.analyze(req, clientIP);
+
+        // Skip ALL checks if legitimate bot (even trap paths!)
+        if (analysis.legitimateBot) {
+            // Record legitimate bot visit for dashboard
+            botTracker.recordVisit({
+                botName: analysis.whitelist.botName,
+                ip: clientIP,
+                path: req.path,
+                userAgent: req.headers['user-agent'],
+                verified: analysis.whitelist.verified,
+                timestamp: Date.now()
+            });
+
+            logger.info('Legitimate bot detected', {
+                ip: clientIP,
+                botName: analysis.whitelist.botName,
+                verified: analysis.whitelist.verified,
+                path: req.path
+            });
+            return next();
+        }
+
+        // 2. CHECK IF TRAP ACCESSED (only after confirming not a legit bot)
         if (trapPaths.includes(req.path)) {
             logger.trapTriggered(clientIP, req.path);
             events.emitTrapTriggered(clientIP, req.path);
@@ -41,10 +66,14 @@ function createRequestAnalyzer(config, storage, detector, aiAnalyzer, logger, ev
                     if (report) {
                         logger.info('AI Trap Analysis', { ip: clientIP, report });
                         events.emitAiAnalysis(clientIP, report);
+                    } else {
+                        logger.warn('AI returned empty report for trap', { ip: clientIP, path: req.path });
                     }
                 }).catch(err => {
-                    logger.error('AI analysis failed', { error: err.message });
+                    logger.error('AI trap analysis failed', { error: err.message });
                 });
+            } else {
+                logger.info('AI is disabled, skipping trap analysis');
             }
 
             return res.status(403).send(
@@ -52,18 +81,7 @@ function createRequestAnalyzer(config, storage, detector, aiAnalyzer, logger, ev
             );
         }
 
-        // 2. THREAT DETECTION (patterns + rate limiting + behavioral + bot detection)
-        const analysis = await detector.analyze(req, clientIP);
-
-        // Skip blocking if legitimate bot
-        if (analysis.legitimateBot) {
-            logger.info('Legitimate bot detected', {
-                ip: clientIP,
-                botName: analysis.whitelist.botName,
-                verified: analysis.whitelist.verified
-            });
-            return next();
-        }
+        // 3. OTHER THREAT DETECTION (patterns, rate limiting, behavioral)
 
         if (analysis.detected) {
             logger.threatDetected(clientIP, analysis.threats, analysis.threatLevel);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "honeyweb-core",
-  "version": "2.0.0",
+  "version": "2.0.3",
   "description": "Production-ready honeypot middleware with behavioral analysis, bot fingerprinting, and AI threat intelligence",
   "main": "index.js",
   "scripts": {

package/storage/bot-tracker.js

@@ -0,0 +1,109 @@
+// honeyweb-core/storage/bot-tracker.js
+// Track legitimate bot visits for dashboard display
+
+class BotTracker {
+    constructor() {
+        this.botVisits = new Map(); // botName -> array of visits
+        this.maxVisitsPerBot = 50; // Keep last 50 visits per bot
+    }
+
+    /**
+     * Record a legitimate bot visit
+     * @param {Object} visit - Visit data
+     */
+    recordVisit(visit) {
+        const { botName, ip, path, userAgent, verified, timestamp } = visit;
+
+        if (!this.botVisits.has(botName)) {
+            this.botVisits.set(botName, []);
+        }
+
+        const visits = this.botVisits.get(botName);
+
+        // Add new visit at the beginning (most recent first)
+        visits.unshift({
+            ip,
+            path,
+            userAgent,
+            verified,
+            timestamp: timestamp || Date.now()
+        });
+
+        // Keep only last N visits
+        if (visits.length > this.maxVisitsPerBot) {
+            visits.pop();
+        }
+    }
+
+    /**
+     * Get all bot visits grouped by bot name
+     * @returns {Object} - Bot visits grouped by name
+     */
+    getAllVisits() {
+        const result = {};
+
+        for (const [botName, visits] of this.botVisits.entries()) {
+            result[botName] = visits;
+        }
+
+        return result;
+    }
+
+    /**
+     * Get visits for a specific bot
+     * @param {string} botName - Bot name
+     * @returns {Array} - Array of visits
+     */
+    getVisitsByBot(botName) {
+        return this.botVisits.get(botName) || [];
+    }
+
+    /**
+     * Get statistics
+     * @returns {Object} - Statistics
+     */
+    getStats() {
+        let totalVisits = 0;
+        const botCounts = {};
+
+        for (const [botName, visits] of this.botVisits.entries()) {
+            totalVisits += visits.length;
+            botCounts[botName] = visits.length;
+        }
+
+        return {
+            totalBots: this.botVisits.size,
+            totalVisits,
+            botCounts
+        };
+    }
+
+    /**
+     * Clear all bot visits
+     */
+    clear() {
+        this.botVisits.clear();
+    }
+
+    /**
+     * Cleanup old visits (older than 7 days)
+     */
+    cleanup() {
+        const maxAge = 7 * 24 * 60 * 60 * 1000; // 7 days
+        const now = Date.now();
+
+        for (const [botName, visits] of this.botVisits.entries()) {
+            const filtered = visits.filter(visit => {
+                return (now - visit.timestamp) < maxAge;
+            });
+
+            if (filtered.length === 0) {
+                this.botVisits.delete(botName);
+            } else {
+                this.botVisits.set(botName, filtered);
+            }
+        }
+    }
+}
+
+module.exports = BotTracker;